Overview
Three years ago, the Compound DAO selected OpenZeppelin as its security partner to provide auditing, advisory, and monitoring services. As 2024 has come to a close, we want to celebrate the progress we’ve made this year to protect and strengthen the Compound protocol. Below is a recap of our work across audits, advisory, and monitoring—along with some important updates for 2025 and beyond.
Auditing
Our audits kept us busy throughout 2024, with no gaps in our backlog. We supported numerous market deployments, code changes, CGP (Compound Grants Program) projects, and more. Highlights from this past year include:
- Completing audits and security reviews of over 28 unique scopes, representing over 118 weeks of auditor time plus additional preparatory and follow-up work
- Reporting 148 issues in our audit reports (excluding proposal reviews), including 3 Critical and 9 High severity findings, with another 7 High-or-above findings raised through proposal reviews
- Reviewing 175 governance proposals
- Supporting the deployment of 13 new markets, including launches on 3 new chains: Optimism, Scroll and Mantle
- Performing audits for 3 CGP grant projects and 1 CGWG initiative:
  - Governance Upgrade by Scopelift and Tally
  - MarketAdmin by DoDAO
  - Contango
  - EventHorizon franchiser
- Finding issues in live proposals and working with proposal authors to address them:
  - 120K Optimism bridge issue
  - ENS race conditions issue
  - Humpy/GoldenBoyz Trusted Intermediary and Contract Security Issues
  - Woof! Sandbox Non-recourse Transfer Issues
  - Various reverts
We’re proud of our audit work to safeguard the Compound ecosystem throughout 2024. That said, we remain committed to continuously improving our processes and welcome community feedback on how we can better serve the protocol.
Advisory
In addition to audits, our security advisory services helped Compound navigate emerging challenges and improve its overall risk posture. Here are some highlights:
- Governance Attack Support - Advised on responding to Humpy’s Governance Attacks, recommending short-term fixes and long-term improvements to mitigate similar risks.
- Bug Bounty Program - Provided guidance for launching a new bug bounty program on Immunefi, ensuring the community rewards and learns from white hat disclosures effectively.
- Security Tooling Grants - Participated in the Security Tooling Domain for CGP to support and shape security-focused projects, fostering new tooling for the Compound ecosystem.
  - Concluded the CGP 2.0 program with 5 security grants successfully completed.
  - Transitioned to CGP 3.0 as a Domain Allocator, approving 3 new security grants to bolster the protocol's defenses.
- Community Multi-sig Enhancements - Helping to refine operational policies, incident response procedures, and overall security controls around the Community Multi-sig. This work is currently underway through a CGP grant, and the final public version of the Multi-sig policies will be published in the coming months.
Our aim throughout 2024 was to assist the community in both day-to-day security decisions and longer-term protocol enhancements.
Monitoring
Our monitoring suite on Discord—initially developed before 2024—became even more integral this year, as we scaled coverage to additional markets and chains. Key achievements include:
- Expanded Market Coverage
  - Introduced 13 new market monitoring feeds for Comet deployments, including:
    - cUSDCv3 on Scroll, Base, Optimism
    - cUSDTv3 on Optimism, Arbitrum, Polygon, Mainnet
    - cWETHv3 on Arbitrum, Optimism
    - cwstETHv3 on Mainnet
    - cAEROv3 on Base
    - cUSDSv3 on Mainnet
    - cUSDEv3 on Mantle
- Enhanced Visibility
  - Provided deeper insights into governance events, market activity, and potential anomalies. This proactive monitoring continues to enable faster security responses across all supported networks.
Looking Ahead in 2025
As we’ve moved into 2025, we’re implementing new reporting and transparency measures to keep the community well-informed:
- Unpublished Reports
  - We will release previously unpublished or partial audit reports, including those that were aborted, contained unaddressed issues, or covered proposals that were eventually canceled.
- Faster Publication Timeline
  - Starting in 2025, we will publish final reports to the DAO within two weeks of delivering initial results to contributors, ensuring the community has timely insight into audit findings.
These efforts underscore our commitment to open communication and continuous improvement as Compound grows and evolves.
Last but not least, we must acknowledge the departure of Michael Lewellen (@cylon) from OpenZeppelin, who has long served as the primary Protocol Security Advisor to the Compound DAO. Despite his long tenure, I feel confident taking over the remainder of his responsibilities and will be the main point of contact for the Compound DAO going forward.
In Summary
Throughout 2024, the Compound protocol has expanded to new chains, introduced new markets, and launched innovative features—all with no significant security incidents that disrupted operations or resulted in loss of funds. Our collaborative efforts with Alpha Growth, Gauntlet, Woof!, the Pause Guardian, the CGP and CGWG committees, and the broader community have helped maintain Compound’s reputation as one of the most robust lending protocols in DeFi.
As always, we remain grateful for the community’s input and trust. With the Compound DAO’s support, OpenZeppelin looks forward to delivering best-in-class audit, advisory, and monitoring services in 2025. We remain steadfast in our commitment to safeguarding Compound’s future as a secure, decentralized platform.
If you have any questions or feedback, feel free to engage in the Compound governance forums or Discord. Here’s to a safe and successful 2025!